[R-pkg-devel] What to do when a package is archived from CRAN

SHIMA Tatsuya t@1@1@ndn @end|ng |rom gm@||@com
Tue Aug 29 12:12:09 CEST 2023


Hi Uwe, thanks for the summary of the background.
Let me ask you a few questions about a couple of points.

 > Accepting a package that downloads crates from github

I don't think prqlr 0.5.0 downloads crates on GitHub.
prqlr <= 0.4.0 use crate on GitHub which I patched to support old Rust 
on Debian <https://github.com/PRQL/prql/pull/1561>, but with 0.5.0 I 
switched to installing from crates.io completely.
(This was made possible because Debian recently upgraded Rust for the 
first time in six months.)

 > All the correspondence we see claims that the submission had bundled 
the rust code, but the version that got archived after publication was 
104KB and did not.

I am aware that in the first submission of prqlr 0.5.0, the size of the 
source was 12MB due to the vendoring all Rust dependent crates and CRAN 
pointed out the size of 12MB as a reason for rejection.
That is why in my second submission I wrote the following comment that I 
had removed the vendoring tarball.

 > To reduce package size on CRAN, it does not vendor dependent Rust crates.

https://github.com/eitsupi/prqlr/pull/161/commits/9aba66647fa5e48da0a5983643a4df001721b3f7#diff-cf8c1cd4cfb6a9ceb5ba522a5711321831948fea41fbb0cd9f799506c7caca1bR22-R27

In other words, I did not claim to have bundled the Rust code.
And that second submission was accepted by CRAN and I have not received 
any further messages from CRAN.

I am aware that the CRAN policy says that we can ask CRAN for permission 
to download from the internet.
I intended to ask for that in this comment.

If I am doing this wrong, what should I do?

Thanks for reading this.

Best,
Tatsuya

On 2023/08/28 17:24, Uwe Ligges wrote:
> Friends,
>
> CRAN wrote initially to some rust using maintainers:
>
> The CRAN policy on authorship/copyright is very clear:
>
> "(’All components’ includes any downloaded at installation or during 
> use.) "
>
> Please explain how your package complies if you believe it does.
>
> Further, we ask that you use the 'cargo vendor' mechanism to avoid 
> downloading during installation and limit the number of CPUs 'cargo 
> build' can use during installation.  Both points are covered in 
> <https://cran.r-project.org/web/packages/using_rust.html>."
>
>
>
>
> Accepting a package that downloads crates from github happened 
> automatically, but incorrectly (a false negative):
> All the correspondence we see claims that the submission had bundled 
> the rust code, but the version that got archived after publication was 
> 104KB and did not.
>
> So please simply follow the mails you got and fix the package folwing 
> the "using_rust" documentation.
>
> In addition, it was mentined already to get the authorship straight.
>
> Best,
> Uwe Ligges
>
>
>
>
>
>
>
> On 27.08.2023 17:28, SHIMA Tatsuya wrote:
>> Hi Tim, thank you for sharing this information. i didn't know this.
>>
>> If this is the cause, the problem seems to have been resolved in the 
>> latest serde <https://github.com/serde-rs/serde/pull/2590>, so it 
>> seems to be possible to deal with it.
>>
>> Best,
>> Tatsuya
>>
>> On 2023/08/27 20:24, Tim Taylor wrote:
>>> Could you have been caught out with the precompiled binary that 
>>> serde started distributing in a few of it’s versions 
>>> (https://github.com/serde-rs/serde/issues/2538)? That could have 
>>> been a reason if you pinned a version with it present but only CRAN 
>>> could confirm if that was the reason.
>>>
>>> Tim
>>>
>>>> On 26 Aug 2023, at 22:22, Ivan Krylov <krylov.r00t using gmail.com> wrote:
>>>>
>>>> On Sat, 26 Aug 2023 11:46:44 +0900
>>>> SHIMA Tatsuya <ts1s1andn using gmail.com> wrote:
>>>>
>>>>> I noticed that my submitted package `prqlr` 0.5.0 was archived from
>>>>> CRAN on 2023-08-19.
>>>>> <https://CRAN.R-project.org/package=prqlr>
>>>>>
>>>>> I submitted prqlr 0.5.0 on 2023-08-13. I believe I have since only
>>>>> received word from CRAN that it passed the automated release process.
>>>>
>>>> Sarah gave a good guess (although there are CRAN packages containing
>>>> C++ and Rust code with NOTEs about size of their libs, 18.2Mb is still
>>>> a lot), though I do find it strange that you didn't receive anything
>>>> from CRAN prior to having your package archived. I don't think I ever
>>>> had problems with e-mails being delivered from CRAN to GMail, but we
>>>> can't rule that out.
>>>>
>>>> You've obviously made an effort to follow the Rust policy, and I don't
>>>> see any obvious problems with this part of the package, although I
>>>> haven't tried it myself to verify the installation working offline 
>>>> from
>>>> bundled source code.
>>>>
>>>> You've also made an effort to list all the authors of the code
>>>> comprising your package in inst/AUTHORS, which is the right thing 
>>>> to do
>>>> to avoid making the list of authors in DESCRIPTION long enough to be
>>>> unreadable.
>>>>
>>>> You licensed the package as MIT. Are your dependencies compatible with
>>>> MIT? All direct dependencies of your Rust code seem to be licensed
>>>> under either MIT or Apache-2.0, which seems to be compatible. You 
>>>> named
>>>> the copyright holder of your package as "prqlr authors", which may 
>>>> be a
>>>> problem. (I think I saw it somewhere that for MIT license, CRAN 
>>>> prefers
>>>> the copyright holder to be some kind of legal entity: either the legal
>>>> name of a person, or a company, or something like that.)
>>>>
>>>> Could the Rust code or any of the dependencies accidentally write 
>>>> under
>>>> the user's home directory or take over the terminal or something like
>>>> that?
>>>>
>>>> We might need a response from CRAN after all.
>>>>
>>>> -- 
>>>> Best regards,
>>>> Ivan
>>>>
>>>> ______________________________________________
>>>> R-package-devel using r-project.org mailing list
>>>> https://stat.ethz.ch/mailman/listinfo/r-package-devel
>>
>> ______________________________________________
>> R-package-devel using r-project.org mailing list
>> https://stat.ethz.ch/mailman/listinfo/r-package-devel



More information about the R-package-devel mailing list